Azure AD as IDP for frontend with multiple backends

Jens Popp 1 Reputation point
2022-08-02T06:57:00.407+00:00

Hi,
I'm trying to implement the following OAuth/OIDC scenario:

We have a frontend webapp. This webapp has certain roles for a user (e.g., is the user allowed to make changes in the configuration or not, ...). Besides that, the webapp calls multiple REST endpoints. The user can have different roles for each of these endpoints. The roles restrict the areas a user can work in (so the same entity but a different context per user). All applications run on premise (not in the Azure cloud); they only consume the tokens provided by an IDP.

In the past we had an IDP which supported multiple audiences, so we could get all necessary roles for the user with one call in one token. As far as I read, this is currently not supported in Azure (considered insecure). The OBO flow might work (haven't tried this), but I'm not sure if it can handle the different rights/roles for the backend services. As far as I read, it goes to the .default scope... It would also cause massive changes in the backend services, since they also might call each other (so each would need to implement OBO). Additionally, the frontend runs scheduler tasks with their own rights (client credentials grant flows), which would not be covered by the OBO flow.

So any help to find the correct concept for Azure IDP would be appreciated.

Best Regards
Jens


1 answer

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2022-08-04T08:44:44.803+00:00

    Hi @Jens Popp • Thank you for reaching out.

    As of now, Azure AD doesn't support multiple audiences in a single token. There is no tweak or workaround currently available for this purpose as well.

    Our product team is investigating using DPoP, a proof-of-possession scheme, to securely support multi-audience tokens that are sender-constrained. At this time, though, unbound multi-audience tokens are considered a security threat, which is why they are not supported. Multi-audience bearer tokens can be replayed from one audience to the other insecurely, allowing an attacker who compromises one service to expand their footprint unnecessarily.

    So, to use Azure AD as the IDP for multiple backend applications, a separate app registration is required in Azure AD for each backend application, and every backend application must then be configured to use its own app registration in Azure AD.

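To make the one-audience-per-backend design concrete, here is an added example (not from the thread or from Microsoft) of the check each backend performs when it receives a token: the `aud` claim must equal that backend's own app registration ID, a list-valued or foreign `aud` is rejected (which is exactly the replay the answer describes), and only then are the `roles` for that backend trusted. The HS256 signing with a shared demo key, the placeholder issuer and the audience IDs are all constructed assumptions; real Azure AD tokens are RS256-signed and verified against the tenant's published signing keys.

```python
import base64, hmac, hashlib, json, time
from typing import Optional

# Constructed demo key: a stand-in for Azure AD's RS256 signing keys.
DEMO_KEY = b"constructed-demo-secret"
# Placeholder issuer; a real check uses the tenant-specific issuer URL.
ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """Constructed HS256 JWT standing in for a token issued by Azure AD."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_token(token: str, expected_aud: str, now: Optional[float] = None) -> list:
    """Return the caller's roles for *this* backend, or raise ValueError.

    Each backend is registered as its own app, so it accepts only tokens whose
    single `aud` is its own ID: a token minted for another API, or a
    multi-audience token, cannot be replayed against it."""
    header, body, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    # A list-valued aud (multi-audience) or a different API's ID is refused.
    if isinstance(aud, list) or aud != expected_aud:
        raise ValueError(f"token not issued for this API: aud={aud!r}")
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    # Roles are per app registration, so these are the roles for this backend only.
    return list(claims.get("roles", []))
```

In the question's setup the frontend therefore requests one token per backend (one scope per app registration) and each backend runs this check against its own ID.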